<html>
<head><meta charset="utf-8"><title>from_raw_fd unsafety · general · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/index.html">general</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html">from_raw_fd unsafety</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="167975885"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/167975885" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#167975885">(Jun 12 2019 at 18:49)</a>:</h4>
<p><a href="https://doc.rust-lang.org/std/os/unix/io/trait.FromRawFd.html#tymethod.from_raw_fd" target="_blank" title="https://doc.rust-lang.org/std/os/unix/io/trait.FromRawFd.html#tymethod.from_raw_fd"><code>FromRawFd::from_raw_fd</code></a></p>
<blockquote>
<p>This function is also unsafe as the primitives currently returned have the contract that they are the sole owner of the file descriptor they are wrapping. Usage of this function could accidentally allow violating this contract which can cause memory unsafety in code that relies on it being true.</p>
</blockquote>
<p>I'm having trouble constructing an example where misuse of this function can create memory unsafety — any ideas?</p>



<a name="167977701"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/167977701" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#167977701">(Jun 12 2019 at 19:06)</a>:</h4>
<p>I could imagine a library that has internal invariants on some file-descriptor-accessible data</p>



<a name="167977712"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/167977712" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#167977712">(Jun 12 2019 at 19:06)</a>:</h4>
<p>and that library could rely on those invariants for safety</p>



<a name="167977721"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/167977721" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#167977721">(Jun 12 2019 at 19:06)</a>:</h4>
<p>at that point, messing with that FD can cause unsafety</p>



<a name="167978180"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/167978180" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#167978180">(Jun 12 2019 at 19:12)</a>:</h4>
<p>I think that's a hint too abstract for me to grok; what would "internal invariants on some file-descriptor-accessible data" look like?</p>



<a name="167978224"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/167978224" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#167978224">(Jun 12 2019 at 19:13)</a>:</h4>
<p>presumably something like sqlite keeping a file open and validating it once that it's "correct" and after that transmuting from file bytes to structs and such</p>



<a name="167978240"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/167978240" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#167978240">(Jun 12 2019 at 19:13)</a>:</h4>
<p>(this is very abstract and maybe not realistic but something like that is the best I can come up with quickly)</p>



<a name="167978316"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/167978316" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#167978316">(Jun 12 2019 at 19:14)</a>:</h4>
<p>presumably this might be a file created via some OS-temporary file abstraction where the "path" to it doesn't exist, too, so the invariant can only be bypassed via synthesis of a file descriptor</p>



<a name="167978689"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/167978689" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#167978689">(Jun 12 2019 at 19:19)</a>:</h4>
<blockquote>
<p>transmuting from file bytes to structs</p>
</blockquote>
<p>Hmm, but a file descriptor itself doesn't have any of this; so would this imply using something like mmap on the file descriptor, adding an extra layer in the middle?</p>



<a name="167979602"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/167979602" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#167979602">(Jun 12 2019 at 19:30)</a>:</h4>
<p>sure, or just <code>read_to_end</code> and transmute</p>



<a name="167979610"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/167979610" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#167979610">(Jun 12 2019 at 19:30)</a>:</h4>
<p>on a <code>File</code> created from the raw fd</p>



<a name="167981642"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/167981642" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#167981642">(Jun 12 2019 at 19:55)</a>:</h4>
<p>yeah, private mmap'ed memory would be one thing. I once contorted this example for another case:<br>
<a href="https://github.com/rust-lang/rust/issues/39575#issuecomment-437658766" target="_blank" title="https://github.com/rust-lang/rust/issues/39575#issuecomment-437658766">https://github.com/rust-lang/rust/issues/39575#issuecomment-437658766</a></p>



<a name="167981684"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/167981684" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#167981684">(Jun 12 2019 at 19:56)</a>:</h4>
<p>pipes are another example of a private resource that can be "de-privatized" with <code>from_raw_fd</code></p>



<a name="168054822"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168054822" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168054822">(Jun 13 2019 at 15:18)</a>:</h4>
<p>So, I can see how your break encapsulation and visibility with it, but I can't see the unsafety. "stealing" someones <code>File</code> by picking the same fd and then calling <code>read_to_end</code> on it will make it so that there's no data left in the file, but... so what?</p>



<a name="168054898"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168054898" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168054898">(Jun 13 2019 at 15:19)</a>:</h4>
<p>(gonna read Ralf's code example now)</p>



<a name="168056372"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168056372" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168056372">(Jun 13 2019 at 15:34)</a>:</h4>
<p>So, that example creates an anonymous pipe and relies on the fact that no one but the creator of the pipe can write to it. It then says that some unsafe behavior can be predicated on the result of reading from the pipe. If someone else gets the ability to write to the pipe, then the encapsulation of the unsafety is broken and the code might cause UB.</p>



<a name="168056766"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168056766" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168056766">(Jun 13 2019 at 15:39)</a>:</h4>
<p>However, that's already trivially broken, AFAIK, because I can just write to <code>/proc/&lt;rust pid&gt;/fd/&lt;whatever pipe is&gt;</code></p>



<a name="168056800"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168056800" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168056800">(Jun 13 2019 at 15:39)</a>:</h4>
<p>The encapsulation was false to start with (similar to how mmap cannot be contained inside of a Rust program)</p>



<a name="168057327"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168057327" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Hanna Kruppe <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168057327">(Jun 13 2019 at 15:44)</a>:</h4>
<p>If you involve <code>/proc/&lt;pid&gt;</code> then you can just as well write to <code>/proc/&lt;pid&gt;/mem</code> and all memory safety guarantees go out the window anyway</p>



<a name="168057608"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168057608" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168057608">(Jun 13 2019 at 15:48)</a>:</h4>
<p>hmm.</p>



<a name="168057663"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168057663" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168057663">(Jun 13 2019 at 15:48)</a>:</h4>
<p>What's the difference between that and mmap then?</p>



<a name="168058279"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168058279" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168058279">(Jun 13 2019 at 15:56)</a>:</h4>
<p>I think the claim is that (at least in theory) here you can have complete control (other than proc) over the file descriptor vs. mmap'ing a file where it's "public"</p>



<a name="168058451"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168058451" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168058451">(Jun 13 2019 at 15:57)</a>:</h4>
<blockquote>
<p>So, I can see how your break encapsulation and visibility with it, but I can't see the unsafety. "stealing" someones <code>File</code> by picking the same fd and then calling <code>read_to_end</code> on it will make it so that there's no data left in the file, but... so what?</p>
</blockquote>
<p>Rust's safety entirely relies on proper enforcment of encapsulation and visibility! Just imagine <code>Vec::len</code> would be public...</p>



<a name="168058607"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168058607" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168058607">(Jun 13 2019 at 15:59)</a>:</h4>
<p>hm good point about <code>/proc/&lt;pid&gt;/fd</code>, I had forgotten about that. Though <span class="user-mention" data-user-id="124289">@rkruppe</span>'s point also stands.</p>



<a name="168058699"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168058699" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168058699">(Jun 13 2019 at 16:00)</a>:</h4>
<p><span class="user-mention" data-user-id="116155">@Jake Goulding</span> do you mean mmap of a file on the file system? Good question. I guess one difference is whether the "attacker" is in the same process or not.</p>



<a name="168058708"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168058708" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168058708">(Jun 13 2019 at 16:00)</a>:</h4>
<p>But it's a fuzzy distinction indeed.</p>



<a name="168059040"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168059040" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168059040">(Jun 13 2019 at 16:04)</a>:</h4>
<p>I think the loose conclusion right now that is that mmap is inherently UB pretty much if anyone touches the file other than the Rust mmap'd process (or you always use atomic single-byte raw ptr reads maybe? not sure)</p>



<a name="168059102"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168059102" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168059102">(Jun 13 2019 at 16:05)</a>:</h4>
<p>no you are fine if you consider the mmap'd file as <code>&amp;[AtomicU8]</code> I think</p>



<a name="168059115"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168059115" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168059115">(Jun 13 2019 at 16:05)</a>:</h4>
<p>(and larger-sized atomic types also work)</p>



<a name="168059949"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168059949" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168059949">(Jun 13 2019 at 16:14)</a>:</h4>
<p><span class="user-mention" data-user-id="116155">@Jake Goulding</span> a trivial example of unsafety is in <code>from_raw_fd(file.as_raw_fd())</code> – which then (if you forgot to forgot one of the <code>File</code>s) ends up being a double free of a resource.</p>



<a name="168059965"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168059965" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168059965">(Jun 13 2019 at 16:14)</a>:</h4>
<p><span class="user-mention" data-user-id="116155">@Jake Goulding</span> now imagine if <code>file</code> was actually a wrapper over a memory map + a backing memfd file.</p>



<a name="168060000"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168060000" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168060000">(Jun 13 2019 at 16:15)</a>:</h4>
<p>your memory map would then get released and you would begin accessing freed memory from your wrapper which still thinks that the file is "open" and the memory map is valid.</p>



<a name="168060005"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168060005" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168060005">(Jun 13 2019 at 16:15)</a>:</h4>
<p>So in code:</p>



<a name="168060262"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168060262" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168060262">(Jun 13 2019 at 16:18)</a>:</h4>
<div class="codehilite"><pre><span></span><span class="k">struct</span> <span class="nc">MemfdWrapper</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">    </span><span class="k">pub</span><span class="w"> </span><span class="n">file</span>: <span class="nc">File</span><span class="p">,</span><span class="w"></span>
<span class="w">    </span><span class="k">pub</span><span class="w"> </span><span class="n">map</span>: <span class="o">*</span><span class="k">mut</span><span class="w"> </span><span class="kt">u8</span><span class="p">,</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
<span class="kd">let</span><span class="w"> </span><span class="n">memory</span>: <span class="nc">MemfdWrapper</span><span class="p">;</span><span class="w"></span>
<span class="p">{</span><span class="w"></span>
<span class="w">     </span><span class="kd">let</span><span class="w"> </span><span class="n">arbitrary_file</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">File</span>::<span class="n">from_raw_fd</span><span class="p">(</span><span class="n">memory</span><span class="p">.</span><span class="n">file</span><span class="p">.</span><span class="n">as_raw_fd</span><span class="p">());</span><span class="w"></span>
<span class="p">}</span><span class="w"> </span><span class="c1">// The backing OS resource for `memory.file` is `close`d, and by extension the memory map which is backed by this file is also (implicitly) released.</span>

<span class="c1">// MemfdWrapper may be exposing safe API here to access contents of `map` with an assumption that `map` is always valid if `file` resource is held alive.</span>
</pre></div>



<a name="168076908"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168076908" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168076908">(Jun 13 2019 at 19:20)</a>:</h4>
<p><span class="user-mention" data-user-id="123586">@nagisa</span> I think a key thing I was forgetting that I see from your example is the point that these are <em>traits</em>, which means anything can implement them.</p>



<a name="168076965"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168076965" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168076965">(Jun 13 2019 at 19:21)</a>:</h4>
<p>It may be entirely impossible to get unsafety from <code>File::{into_raw_fd,from_raw_fd}</code>, but that doesn't mean that the trait's method is always safe</p>



<a name="168079813"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/from_raw_fd%20unsafety/near/168079813" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/from_raw_fd.20unsafety.html#168079813">(Jun 13 2019 at 19:55)</a>:</h4>
<p>Presuming nothing else exists, perhaps, but because file descriptors are a global resource I could see that being not quite true</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>